Keeping up with the latest security news isn’t easy. It seems like every week there’s a new threat on at least one of our devices to watch out for. This time, though, it’s a cool thing: If you have a Samsung Galaxy or, more recently, a Google Pixel, hackers may only need your phone number to break into your phone.
The Zero Day Project, a security research team at Google, discovered as many as 18 zero-day vulnerabilities in Samsung Exynos modems late last year through early 2023. Zero-day vulnerabilities are dangerous because the bad guys know about them before the software and hardware vendors do, which raises a high probability of attacks.
Worse in this case, four of the 18 zero-day vulnerabilities allow for what is called “Internet-to-baseband remote code execution,” where hackers can take over your phone without any input from you. All they need to know is your phone number, and they’re in, assuming you have an affected device.
Samsung’s Exynos modem (not to be confused with the Exynos SoC, which is common in Galaxy devices outside the U.S.) is the part of the smartphone that provides support for calls. Project Zero considers this to be a complete list of affected devices:
Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
Mobile devices from vivo, including the S16, S15, S6, X70, X60 and X30 series of mobile devices
Google’s Pixel 6 and Pixel 7 series devices
Any vehicle using the Exynos Auto T5123 chipset
Updates are available here to protect against this latest Android security threat
In short, it’s bad news. But there’s good news. Patches and updates are already available for users to fix their devices. For example, Google fixed all four critical vulnerabilities with the March update. If you have a Pixel 6 or Pixel 7, make sure you update as soon as possible if you haven’t already protected yourself.
The news from Samsung is similar. The company patched five of the six known security vulnerabilities in the March update, which is interesting considering that Project Zero pointed out four critical vulnerabilities. More importantly, Samsung doesn’t consider the six vulnerabilities it identified to be “critical. However, if they are related to these zero-day modem vulnerabilities, I would disagree.
How to protect your Samsung Galaxy while waiting for the final patch
So the immediate action to take is to update your Pixel or Galaxy device as soon as possible. But there are still unpatched vulnerabilities on the Galaxy side that Samsung says should be ready by April. To beef up security while you wait, you may want to consider disabling wifi calling, which helps prevent this Internet-to-baseband remote code execution. To do this, go to Settings > Connections and disable Wi-Fi calling.
Disabling VoLTE (Voice over LTE) is another solution, but there are two problems. First, it affects your ability to make and receive calls, but more importantly, it’s not really feasible for you because it’s now controlled by your carrier. You can solve this problem by switching your network mode to “2G/3G” …… but who wants to live like that? In my opinion, get your phone connected to LTE or 5G, disable wifi calls, and wait for Samsung to release the final patch.
